On th3j35t3r's Project Looking Glass

"There’s a large mustard-mine near here. And the moral of that is — The more there is of mine, the less there is of yours." – The Duchess (Alice in Wonderland)

As many of you will have noticed, there haven’t been a lot of ‘TANGO DOWNS’ over the last few months. There is a reason for this. I decided that I should concentrate a little more on targeted intelligence gathering and a little less on the violent internet smackdown that is XerXeS and others.

I needed a way to get undisputable evidence as to the real world identity of ‘the mark’ – whatever the ‘mark’ or target was, be it Anons, Jihadist bomb plotters or forum admins, or whoever.

Over the last few months I have been running ‘Project Looking Glass’.

So what is it?

The Looking Glass is based upon the open source Browser Exploitation Framework – I used this as its truly modular framework lends itself well to me modifying and hacking it to pieces in order to get it to do what I want it to, without losing direction, straying from the confines of the original mission spec or wasting time re-inventing the wheel. One of the bonuses of open-source code, right?

The entire project comprises the ‘looking glass’ server, which I will be talking about here, and numerous other ‘bait’ servers which have the ‘hook code’ embedded in certain pages that they serve up. Once a target hits the page they immediately pop up on the looking glass HUD and information starts getting logged and a profile of the ‘mark’ starts to form.

I am not going into much more detail on this for obvious reasons. But I will say the highly targeted nature of how the hook code is served up to the ‘mark’ leaves very little room for error, mistaken identity or false positives.

Those of you familiar with BeEF will notice some differences in the screenshot above. Yes, Looking Glass logs a whole bunch of stuff right from the get go and it’s searchable.

So what else is different?

Well, after making a few changes to the core I was in a position to start creating some funky new intelligence gathering modules that would live in the modules tree within its own separate section called ‘Project Looking Glass’. These modules would seriously boost the effectiveness of this hybrid beast, turning it into a formidable force for good (in this case).

So currently there are 12 new modules in Project Looking Glass and they are pretty nasty if you get caught on the end of one or more of them. The names are fairly self-explanatory and you will notice they are all good to go with a green traffic light, in this case against Firefox/Linux:


So why would I let this out of my bag?

I haven’t actually given away any operational details; the key to this is in the delivery of the hook code, location of ‘bait servers’ etc. The hook code, by the way, can also be injected using XSS into any vulnerable 3rd party website, so the target doesn't even have to hit one of my ‘bait boxes’.

Project Looking Glass is not available or downloadable to the public, although I am sure within a few hours there will be claims you can download it here, there and everywhere, as was the case with XerXeS. Please be advised I never released XerXeS and I won’t be releasing Project Looking Glass. If someone says they have it, they are lying to you and most likely trying to infect you with malware.

So there it is, and make no mistake bad guys, it is out there, and you won’t see it coming. Today you have seen what I can see, I tell you this as a warning. Again bad guys, Project Looking Glass has been running for months now, and not without success as we have seen.

There’s nothing you can do about it, as you have no idea how many hook code snippets are out there, where they are…….

…….or indeed whether or not you have already accidentally stumbled through the looking glass.

Peace.

There’s an unequal amount of good and bad in most things. The trick is to figure out the ratio and act accordingly.

Marc Quibell
I need a looking glass to even look at those screen shots....

1341600787

Ben Keeley
What happens to the data or session if a non-target triggers the plg/beef hook?

1341604278
